March 13, 2002

Information System Security

Air Force Web Site Administration, Policies, and Practices (D-2002-062)

Department of Defense
Office of the Inspector General
Quality    Integrity    Accountability

Additional Copies

To obtain additional copies of this audit report, visit the Inspector General, DoD, Home Page at www.dodig.osd.mil/audit/reports or contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

OAIG-AUD (ATTN: AFTS Audit Suggestions)
Inspector General, Department of Defense
400 Army Navy Drive (Room 801)
Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The identity of each writer and caller is fully protected.

Acronyms

GILS     Government Information Locator Service
JWRAC    Joint Web Risk Assessment Cell

Office of the Inspector General, DoD

Report No. D-2002-062 (Project No. D2001AB-0116)
March 13, 2002

Air Force Web Site Administration, Policies, and Practices

Executive Summary

Introduction. This report is one in a series that address Internet access, practices, and policies.
Subsequent reports will cover Web site administration within the Army and DoD. The Naval Audit Service plans to issue a separate report based on the audit of Web site administration within the Navy and the Marine Corps.

This report evaluates Internet access, practices, and policies for Air Force Web site administration. In April 2001, the Air Force issued “Transmission of Information Via the Internet,” Air Force Instruction 33-129. Air Force Instruction 33-129 defines the roles and responsibilities of personnel establishing, revising, and operating an Internet Web site. It prohibits the display of classified and sensitive information on publicly accessible Air Force Web sites, and it requires annual reviews to ensure compliance with Air Force and DoD policy. Air Force Instruction 33-129 also requires major Air Force commands and wing level commanders to register their Web sites with Air Force Link, which serves as a registration database for data into the Government Information Locator Service. The Government Information Locator Service helps citizens identify, locate, and retrieve information about their government.

Objectives. Our objective was to evaluate Air Force policies and practices for Web site administration and oversight. Specifically, we reviewed how the Air Force hosts official Web sites and how it registers and monitors Web sites for compliance with policy and safeguards sensitive information. We also evaluated the management control program as it related to the overall objective.

Results. The Air Force had not developed adequate plans to annually review its Web sites. In addition, the listing of Air Force publicly accessible Web sites recorded in Air Force Link did not match the data reported in Government Information Locator Service. As a result, the Air Force had 140 publicly accessible Web sites that included potentially inappropriate information.
Further, the process for the removal of sensitive information was not reliable. In positive actions, the Air Force developed a new training program for personnel working on Web sites, and oversight of Air Force Web sites has improved with the establishment of the Air Force Web Risk Assessment Cell. See Appendix A for details on the management control program concerning the performance of annual reviews and the establishment of a followup system to ensure all issues relating to the posting of inappropriate data on Web sites are resolved. For details of the audit results, see the Finding section of the report.

Summary of Recommendations. We recommend that the Director, Office of Public Affairs, Department of the Air Force, establish a process to conduct annual multi-disciplinary reviews of Web sites, report results of the reviews to the Chief Information Officer, Department of the Air Force, and establish a followup system to ensure corrective actions are implemented when inappropriate postings are identified. We also recommend that the Chief Information Officer, Department of the Air Force revise Air Force Instruction 33-129, “Transmission of Information via the Internet,” April 4, 2001, to require annual reviews that verify and match data in the Air Force Link with data contained in the Government Information Locator Service.

Management Comments. The Chief Information Officer, Department of the Air Force, who responded for the Air Force, concurred with the recommendations. Specifically, the Office of Public Affairs, Department of the Air Force, is establishing a process to ensure information is screened prior to posting. Web masters will review Web sites for unauthorized information, and the Office of Public Affairs, Department of the Air Force, will accomplish annual and spot reviews to verify compliance with policy and assure content accuracy.
The Air Force intends to develop and implement the review process within 6 months. The Chief Information Officer of the Air Force also stated that the Deputy Chief of Staff, Communications and Information had already begun the process of issuing a revised Air Force Instruction 33-129, “Transmission of Information Via the Internet,” April 4, 2001. In addition, the Chief Information Officer, Department of the Air Force will ensure that Air Force Link and Government Information Locator Service data are consistent and that public Web sites do not disclose inappropriate data.

Table of Contents

Executive Summary

Introduction
     Background
     Objectives

Finding
     Air Force Internet Access, Practices, and Policies

Appendixes
     A. Audit Process
          Scope and Methodology
          Management Control Program Review
          Prior Audit Coverage
     B. Report Distribution

Management Comments
     Department of the Air Force

Background

DoD Web Page Policy. The “DoD Web Site Administration Policy and Procedures,” (the Policy) implemented December 7, 1998, and updated April 26, 2001, describes procedures for establishing, operating, and maintaining DoD unclassified Web sites. The Policy requires heads of DoD Components to establish a process to identify appropriate information for posting to Web sites.
The Policy ensures that all information placed on publicly accessible Web sites is reviewed for security levels of sensitivity and other concerns before the information is released.

In addition, the Policy requires Components to establish procedures for management oversight and a regular functional review of Web sites, and to provide necessary resources to support Web site operations including funding, staffing, and training. It also requires an annual security assessment of Web sites. Moreover, Components must register each publicly accessible Web site with the Government Information Locator Service (GILS). GILS helps citizens identify, locate, and retrieve information about their government. GILS resides on Defense Link, which is the official Web site for DoD and the starting point for finding military information online about defense policy, organizations, functions, and operations.

The Policy defines a DoD Web site as a collection of information organized into a number of Web documents related to a common subject or set of subjects including a Home Page and links to subordinate information that is included on a Web page. A Home Page is the index or introductory document for a Web site. A Web site is developed and maintained with command sponsorship, approval, and editorial supervision over content.

DoD Oversight of Web Content. On February 25, 1999, the Secretary of Defense approved the Joint Web Risk Assessment Cell (JWRAC) plan to use Reserve assets to conduct ongoing security and threat assessments of Components Web sites.
The JWRAC is responsible for analyzing data on DoD Web sites for information that poses potential or real threats to ongoing operations and DoD personnel. Inappropriate data include data labeled “For Official Use Only,” “sensitive,” classified, and other information at one or more sites that, combined, would be sensitive or classified, and should not be released to the general public.

Air Force Policy on Web Sites. Air Force Instruction 33-129, “Transmission of Information via the Internet,” dated April 4, 2001,[1] defines the roles and responsibilities of personnel using and maintaining the Internet. It assigns the development of policy to the Air Force Director of Communication and Information who is the Deputy Chief Information Officer for the Air Force. It prohibits the display of offensive and obscene material, and prohibits links to offensive or unrelated commercial sites at Air Force Web sites.
It also requires Air Force officials to develop procedures for establishing and maintaining a public Web site and to conduct multi-disciplinary annual reviews of Web sites. The multi-disciplinary annual reviews include representatives from communications and information, public affairs, legal, contracting and operations, and other necessary disciplines to review questions concerning the sensitivity of information on public Web sites.

[1] Air Force Instruction 33-129 was originally issued on August 1, 1999.

Air Force Instruction 35-101, “Public Affairs Policies and Procedures,” dated December 1, 1999, defines prohibited information such as links to offensive or unrelated commercial material, disclosure of sensitive movements of military assets and personnel, locations of units and installations, personal information protected under the Privacy Act, copyright information, trademarks and logos, and classified information. Air Force Instruction 35-101 requires that the Office of Public Affairs serve as the point of contact to conduct the multi-disciplinary periodic reviews; determine the appropriateness of content, design, and operations of an Air Force Web site; and provide direction for registering public Web sites with GILS.

Air Force Instruction 35-101 further requires major Air Force commands and wing level commanders to register their Web sites with Air Force Link, which the Office of Public Affairs maintains. The Link serves as a registration database for information recorded in GILS.
Registration requires that officials record information such as Web site title, internet address, major Air Force command, base location, point of contact, and other pertinent Web site information.

Objectives

Our objective was to evaluate Air Force policies and practices for Web site administration and oversight. Specifically, we reviewed how the Air Force hosts official Web sites, and how it registers and monitors Web sites for compliance with policy and safeguards sensitive information. We also evaluated the management control program as it relates to the overall objective. See Appendix A for a discussion of the audit scope and methodology, the management control program, and prior audit coverage.

Air Force Internet Access, Practices, and Policies

The Air Force had not developed adequate plans to annually review its Web sites. This occurred because the Director, Office of Public Affairs, Department of the Air Force, did not monitor the conduct of required annual reviews and it did not follow up and resolve findings identified during the annual reviews in a timely manner. In addition, the listing of Air Force publicly accessible Web sites recorded in Air Force Link did not match the data reported in GILS. Officials stated that this occurred because Air Force Link was damaged when GILS was upgraded, resulting in a failure to maintain matching databases. As a result, the Air Force had 140 publicly accessible Web sites that included potentially inappropriate information. Further, the process for the removal of sensitive information was not reliable.
In positive actions, the Air Force developed a new training program for personnel working on Web sites, and oversight of Air Force Web sites has improved with the establishment of the Air Force Web Risk Assessment Cell.

Information on Air Force Public Web Sites

In June 2001, the Office of the Deputy Assistant Secretary of Defense (Intelligence) identified 140 Air Force Web sites that were publicly accessible and contained information that was identified with warnings such as “Destruction Notice,” “For Official Use Only,” “Distribution Authorized,” “Distribution Limited,” “Pre-decisional,” and “Secret.” All the warnings restrict the audience and are not for general public consumption.

During June 2001, the Deputy Assistant Secretary of Defense (Intelligence) submitted information on those 140 sites and related information to JWRAC for analysis. If the sites are analyzed, the results of the JWRAC analysis will help the Air Force identify information that should not be included on Web sites accessible by the general public.

Annual Reviews of Air Force Web Sites

Of the three major Air Force commands and wing level commanders visited, two major commands and one wing level commander did not conduct annual reviews since 2000. Also, the Director, Office of Public Affairs, Department of the Air Force, neither ensured the completion of the annual reviews nor resolved issues identified during the reviews.

Air Force Special Operations Command. Personnel at the Air Force Special Operations Command conducted one multi-disciplinary review in the summer of 2000.
Air Force officials did not prepare a written report on the review results but would alert page maintainers if inappropriate information was posted on their Web sites. Also, Air Force officials did not conduct later reviews because they were awaiting a revised command instruction that provided guidance on conducting the annual assessments. On August 3, 2001, Air Force officials agreed to conduct the annual multi-disciplinary review as required by Air Force Special Operations Command Instruction 33-303, “Communications and Information,” November 1, 1999.

Air Mobility Command. Officials from the Air Mobility Command conducted a multi-disciplinary review in early 1999, and sent the results to Headquarters U.S. Air Force, Communication and Information. The results of the review indicated that sensitive information did not appear on publicly accessible Web sites. Since 1999, officials have not conducted further reviews. However, the command office of public affairs reviewed all changes to the command Web sites. The officials stated that the risk of improper data located at the Web site was reduced.

375th Airlift Wing. The 375th Airlift Wing conducted a multi-disciplinary review in 1999, and reported the results to the Vice Commander, Air Mobility Command. The results of the review indicated that sensitive information did not appear on publicly accessible Web sites. However, the 375th Airlift Wing had not performed a review subsequent to 1999 because officials stated that they were not tasked to conduct the review.

Air Force Public Affairs. Officials from the Office of Public Affairs, Department of the Air Force, and the Headquarters U.S. Air Force, Communication and Information required the annual multi-disciplinary reviews in March 2001, with completion by April 2001.
However, they did not follow up with major command and air wing level commanders who did not respond by the due date. This occurred because of personnel changes and the followup duties remained unassigned. In addition, the Office of Public Affairs, Department of the Air Force, did not follow up and resolve findings identified during the annual reviews in a timely manner. During the audit, Air Force officials from the Office of Public Affairs, Department of the Air Force, agreed that a process to ensure that major Air Force commands and wing level commanders conduct annual reviews and establish a followup system to resolve issues identified during the annual reviews was needed.

The annual multi-disciplinary reviews are a necessary part of Web site administration. The reviews help ensure that only information germane to the general public is posted for review and public dissemination. Although Air Force Instruction 33-129 requires an annual review, and the Office of Public Affairs, Department of the Air Force, and the Headquarters U.S. Air Force, Communication and Information Office jointly tasked the effort in March 2001, a process is needed to ensure that all annual reviews are conducted, results are reported to the Chief Information Officer of the Air Force, and a followup system is in place to ensure corrective actions are implemented when inappropriate postings are identified.

Web Site Registration in Air Force Link and Government Information Locator Service

Listings of Air Force Web sites accessible to the general public as shown in Air Force Link are different from those registered in GILS. As of August 22, 2001, there were 607 registered Air Force Web sites listed on Air Force Link. There were 421 Air Force listings in GILS. Only 170 were listed at both sites with the remainder listed either only in GILS (251) or with Air Force Link (437).
Air Force officials from the Office of Public Affairs, Department of the Air Force, stated that Air Force Link was damaged when GILS was updated, resulting in a failure to keep the two databases identical. In addition, officials stated that they revised the registration process since May 2001 so that the registration information directs registrants to the GILS Web site. However, they stated that they did not have the resources to compare the lists of publicly accessible Air Force Web sites recorded in the Air Force Link to those reported in GILS.

Although registration is a requirement for Air Force Link and GILS, there is no requirement to ensure that both listings are identical and current. As part of the multi-disciplinary annual review, major commands and wing level commanders should ensure that the information in both listings is current and identical, and that discrepancies are reported and corrected. Oversight and identical registration will ensure that Air Force officials have a listing of all publicly accessible Web sites so that when policy changes occur, they can be disseminated to Web officials; when training requirements are established, training can be planned and taken; and when performing annual reviews, all publicly accessible sites can be analyzed. Air Force Instruction 33-129 must be revised because it only requires the annual review to analyze the Web sites and pages rather than the validity, currency, and consistency of information included in Air Force Link and GILS.

Training of Web Personnel

The Air Force Communications Agency is developing a computer based training course for Web masters and other Web administration personnel such as page maintainers. A Web master is a system administrator for a Web server, which hosts the Home Page.
The Web master is responsible for operations of the server, security, maintenance, registration with Air Force Link, and posting of appropriate information on a Web site. A page maintainer assists the Web master implementing access and security controls over the Web site, and also develops and maintains subordinate pages, reviews, and documents; obtains release approval on material; validates links to ensure proper access and control; and ensures outdated data is removed from a Web site. The course includes a 4-hour session with a 1-hour review followed by questions that must be answered with a 70 percent correct score for successful completion of the course. Instruction topics include Web administration, roles of personnel, the Web server, system security, Web site establishment, page design, and the collection of information.

The training will enable participants to perform essential Internet administration tasks and manage the enterprise in a secure manner. Air Force officials indicate that the course will be a mandatory requirement for current Web masters and other Web personnel. In addition, newly designated personnel must take the course before they are assigned Web administration duties. Air Force officials also plan to include the course as a requirement for other network professionals.

The course development is a positive initiative and will ensure that individuals, who are assigned the responsibility for Web site administration, will receive training on policy and practice.

Air Force Web Risk Assessment Cell Established

In August 2000, the Air Force established an Air Force Web Risk Assessment Cell that is responsible for vulnerability analyses and threat assessments of the content of Air Force Web sites. The cell analyzes content and data on Air Force Web sites.
It also reviews cross sectional Web information, trend analysis, and data aggregation where unclassified information from multiple Web sites could be combined to create sensitive or classified information that could pose a threat to ongoing operations or personnel. Also, it reviews Air Force Web sites for compliance with Air Force instructions, ensures recognition and reporting of vulnerabilities at one or multiple Web sites, and notifies officials of the results. The cell reports routine observations on a scheduled basis to the commanders of major commands, direct reporting units and field operating agencies, and reports critical observations immediately to respective Air Force officials.

The cell has only issued one report dated April 2, 2001. The report was addressed to Headquarters U.S. Air Force, Communications and Information, and identified six Air Force sites with “For Official Use Only” information, sensitive information, and access issues. The report stated that officials were in the process of defining the report format and frequency. When the report was issued in April 2001, four of the six identified issues were closed and Air Force officials were addressing the other two. Air Force officials informed us that they subsequently defined the resources needed to perform the review, including funding and training requirements for involved personnel, and the process for reporting and following up results. The cell began further assessments in September 2001.

The establishment of the Air Force Web Risk Assessment Cell will complement the Joint Web Risk Assessment Cell.
It will provide the Air Force an assessment of the content of its Web sites and will help to deter Web site misuse.

Summary

GILS was established to help citizens identify, locate, and retrieve information about their government. Web sites must be informative and contain only information appropriate for posting. To achieve this, managers who are responsible for Web administration including posting information on Web sites, must be aware of the policy and process for establishing and revising Web sites as well as appropriate Web page content. Training in Web site administration is a first step to safeguarding sensitive information along with the establishment of an oversight Web risk assessment cell. In addition, performing annual multi-disciplinary reviews is imperative. Further, a listing of Web masters and Web sites that are consistently reported in DoD and Air Force databases will help facilitate the distribution of new policy, assist in the oversight of known public Web sites, and ensure training of appropriate officials. All of those steps will help prevent the disclosure of sensitive movements of military assets or personnel; locations of units, installations, or personnel; personal information protected under the Privacy Act; copyright information; trademarks and logos; and classified information at Air Force publicly accessible Web sites.

Recommendations and Management Comments

1. We recommend that the Director, Office of Public Affairs, Department of the Air Force:

    a. Establish a process for conducting annual multi-disciplinary reviews of Web sites and for reporting the review results to the Chief Information Officer, Department of the Air Force.

    b.
Establish a followup system to ensure corrective actions are implemented when inappropriate postings to Air Force Web sites are identified.

2. We recommend that the Chief Information Officer, Department of the Air Force revise Air Force Instruction 33-129, “Transmission of Information via the Internet,” April 4, 2001, to require annual reviews that verify and match data contained in Air Force Link with data contained in Government Information Locator Service.

Management Comments. The Chief Information Officer, Department of the Air Force, who responded to our memorandum to the Assistant Secretary of the Air Force (Financial Management and Comptroller), concurred. Specifically, the Office of Public Affairs, Department of the Air Force, is establishing a process to ensure information is screened prior to posting. Web masters will review Web sites for unauthorized information and Public Affairs will accomplish annual and spot reviews to verify compliance with policy and assure content accuracy. The Air Force intends to develop and implement the review process within 6 months. The Chief Information Officer also stated that the Deputy Chief of Staff, Communications and Information, Department of the Air Force, had already begun the process of issuing a revised Air Force Instruction 33-129, “Transmission of Information Via the Internet.” In addition, the Chief Information Officer, Department of the Air Force will ensure that Air Force Link and Government Information Locator Service data are consistent and that public Web sites do not disclose inappropriate data.

Appendix A.
Audit Process

Scope and Methodology

We visited three major Air Force commands including the Air Force Special Operations Command, the Air Mobility Command, and the Air Education and Training Command. We selected the Air Force Special Operations Command because it supports a unified DoD command. We selected the Air Mobility Command because it was located at the site of the Air Force Communications Agency where Web training is being developed, and we selected the Air Education and Training Command because it was located near the Air Force Joint Web Risk Assessment Cell. The Air Wings visited include the 375th Airlift Wing, the 16th Special Operations Wing, and the 12th Flying Training Wing that were located at the major commands visited. Although we reviewed three Air Force major commands and three Air Force air wing commanders, our results do not reflect a projection of all Air Force major commands and air wing commanders. We reviewed and evaluated Web site policies of the Air Force for Web site locations available to the public. We conducted discussions with Air Force officials to evaluate whether policies and practices were adequate, and we reviewed records and documents from December 1998 until August 2001.

Audit Type, Dates and Standards. We performed this program results audit from May 2001 through September 2001 in accordance with generally accepted government auditing standards.

Use of Computer-Processed Data. We relied on computer-processed data without performing tests of system general and application controls to confirm the reliability of the database. However, not establishing the reliability of the database will not affect the results of our audit. We relied on judgmental sampling procedures to develop conclusions on this audit.

Use of Technical Assistance.
A computer specialist from the Information Systems Directorate, Office of the Assistant Inspector General for Auditing, DoD, assisted the auditors in reviewing the registration of Web sites in the Air Force Link and GILS databases. The computer specialist performed a comparison of the databases to determine the Web sites that were contained in both databases.

Contacts During the Audit. We visited or contacted individuals and organizations within DoD. Further details are available on request.

General Accounting Office High-Risk Area. The General Accounting Office has identified several high-risk areas in the DoD. This report provides coverage of the Information Security high-risk area.

Management Control Program Review

DoD Directive 5010.38, “Management Control (MC) Program,” August 26, 1996, and DoD Instruction 5010.40, “Management Controls (MC) Program Procedures,” August 28, 1996, require DoD managers to implement a comprehensive system of management controls that provide reasonable assurance that programs are operating as intended and to evaluate the adequacy of the controls.

Scope of Review of the Management Control Program. We reviewed the adequacy of Air Force management controls over DoD and Air Force policies and practices for Web site administration and oversight. In assessing those controls, we evaluated policies and practices on how Government or other servers host official Air Force Web sites, and how the Air Force registers and monitors Web sites for compliance with policy and safeguards sensitive information. We reviewed management’s self-evaluation applicable to those controls.

Adequacy of Management Controls.
We identified material management\n    control weaknesses for the Air Force as defined by DoD Instruction 5010.40.\n    Air Force management controls for oversight of Air Force Web sites were not\n    adequate to identify a complete listing of Web sites, conduct annual multi-\n    disciplinary reviews, and establish a followup system to track inappropriate\n    information posted. The recommendations, if implemented, will improve the\n    oversight and Web site administration process. A copy of the report will be\n    provided to the senior officials responsible for management controls in the\n    Office of the Assistant Secretary of Defense (Command, Control,\n    Communications, and Intelligence).\n\n    Adequacy of Management’s Self-Evaluation. The Director, Office of Public\n    Affairs, Department of the Air Force, did not identify oversight of Air Force\n    Web sites as an assessable unit and, therefore, did not identify or report the\n    material management control weakness identified by the audit.\n\nPrior Coverage\n    General Accounting Office\n\n    During the last five years, GAO has issued two reports on the issue of Internet\n    privacy.\n\n    GAO Report No. GAO-01-147R “Internet Privacy: Federal Agency Use of\n    Cookies,” October 20, 2000\n\n    GAO Report No. GAO/AIMD-00-296R (OSD Case No. 2074) “Internet\n    Privacy: Comparison of Federal Agency Practices With FTC's Fair Information\n    Principles,” September 11, 2000\n\nInspector General, DoD\n\nInspector General, DoD, Report No. D2001-130, “DoD Internet Practices and\nPolicies,” May 31, 2001\n\nAir Force Audit Agency\n\nAir Force Audit Report No. 99066038, “Web Page Management,”\nNovember 8, 2000\n\nAppendix B. 
Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense (Comptroller)\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Acquisition)\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAuditor General, Department of the Air Force\nDirector, Secretary of the Air Force, Office of Public Affairs\n\nOther Defense Organization\nDirector, Defense Information Systems Agency\n\nNon-Defense Federal Organization\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency, Financial Management, and\n     Intergovernmental Relations, Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology and Procurement Policy, Committee on\n  Government Reform\n\nDepartment of the Air Force\nComments\n\nAudit Team Members\nThe Acquisition Management Directorate, Office of the Assistant Inspector General for\nAuditing, DoD, prepared this report. Personnel of the Office of the Inspector General,\nDoD, who contributed to the report are listed below.\n\nMary Ugone\nThomas S. Bartoszek\nThomas J. Hilliard\nLisa E. Novis\nThelma E. 
Jackson\nCarrie Gravely\nMandi Markwart\nPatrice Cousins\nConstance Halahan\nAnn Ferrante\nJenshel D. Marshall\n"